Lessiter2 2005-02-15, 2:54 am

I'm trying to disable all encryption protocols but TLS 1.0 while running
IIS5/Win2k.
I've followed the directions in KB245030 "How to Restrict the Use of Certain
Cryptographic Algorithm Protocols in Schannel.dll", and created a .reg file
to import directly from the text (non-export) in the KB article. Once the
registry changes were imported, I rebooted the IIS5 server.
The problem comes when I connect to the server with an IE 6 client.
If I set the "Use TLS 1.0" option on the IE client (Tools/Internet
Options/Advanced/Use TLS 1.0), the client connects to the server and
negotiates a TLS 1.0 connection properly (which is fine, and how it's
supposed to function).
However, if I turn the "Use TLS 1.0" setting off at the IE client, the IIS5
server and the IE client negotiate an SSLv3 connection, even though I
specifically disabled SSLv3 (and everything else but TLS 1.0) on the IIS5 box
through the registry keys provided in the KB article mentioned above.
So, the problem is, how do I force the IIS 5 box to not accept any SSL
connections that aren't negotiated at TLS 1.0?
-Running Win2k Server SP4 with IIS5 and the latest patches as of 14-Feb.
-Reinstalled SP4 this afternoon to no avail.
-No GPO in place forcing specific encryption protocols.
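One way to check a hand-built .reg file of the kind described in the post before importing it, as an added example that is not part of the original post or of KB245030: the script reports, for each protocol, whether the `Server` subkey under the Schannel `Protocols` key carries a DWORD `Enabled` value. The sample text and the function names `parse_reg` and `audit_server_protocols` are constructed for illustration.

```python
import re

# Schannel protocol root; the Server subkey of each protocol holds the inbound setting.
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
PROTOCOLS = ["PCT 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0"]

# Constructed sample, not the poster's file: SSL 3.0 is set under Client only,
# and PCT 1.0 carries a string value instead of a DWORD.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: raw_data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"').lower()] = data.strip()
    return keys

def audit_server_protocols(text):
    """Classify each protocol's Server-side 'Enabled' value in the .reg text."""
    keys = parse_reg(text)
    report = {}
    for proto in PROTOCOLS:
        values = keys.get(f"{BASE}\\{proto}\\Server".lower())
        data = None if values is None else values.get("enabled")
        if data is None:
            report[proto] = "not set"          # no Server\Enabled entry at all
        elif not re.fullmatch(r"dword:[0-9a-fA-F]{8}", data):
            report[proto] = "wrong type"       # present, but not a DWORD
        else:
            report[proto] = "disabled" if int(data[6:], 16) == 0 else "enabled"
    return report
```

The same report can be compared against the live registry after the import and reboot to confirm that the values landed where the file says they should.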